74e23e30cecb8d4af291612797235edd36bf1b18f901e9e2b80d600b2f1f55e4

Analysis

max time kernel
147s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41ca1001b6d5be576633500f1e794509.exe
Size

285KB
MD5

41ca1001b6d5be576633500f1e794509
SHA1

f1003a000136a9c6bb02022e0c5500bcb4db7326
SHA256

74e23e30cecb8d4af291612797235edd36bf1b18f901e9e2b80d600b2f1f55e4
SHA512

b4d389fa4e2d250de576442b3ccdb354840c3548439ef4c1ab527e51f037dad85ab6f8bb72e5d07649da5e7e1dc7a664656c8118ce4ed95a95ceee183c901652
SSDEEP

6144:/cWESPHaaBrjy1VPFy4ujGfEubV0iQXwGchKMEaPmsnExsz9a9:kaSaF27dyrjG8uZoXXkj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
220	svchusts.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchusts.exe	41ca1001b6d5be576633500f1e794509.exe
File opened for modification	C:\Windows\SysWOW64\svchusts.exe	svchusts.exe
File created	C:\Windows\SysWOW64\svchusts.exe	41ca1001b6d5be576633500f1e794509.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	41ca1001b6d5be576633500f1e794509.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	41ca1001b6d5be576633500f1e794509.exe
Token: SeDebugPrivilege	220	svchusts.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3788	1608	41ca1001b6d5be576633500f1e794509.exe	91
PID 1608 wrote to memory of 3788	1608	41ca1001b6d5be576633500f1e794509.exe	91
PID 1608 wrote to memory of 3788	1608	41ca1001b6d5be576633500f1e794509.exe	91

C:\Users\Admin\AppData\Local\Temp\41ca1001b6d5be576633500f1e794509.exe
"C:\Users\Admin\AppData\Local\Temp\41ca1001b6d5be576633500f1e794509.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:3788

C:\Windows\SysWOW64\svchusts.exe
C:\Windows\SysWOW64\svchusts.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchusts.exe

Filesize
43KB

MD5
a38faa4d20e63f8064437a792442df25

SHA1
4214541f1bb3e52f53763ecd52e0b72575b9c4e8

SHA256
f27c476f4d17121c2282e28d357e5acd973c8cb9bf7f30b3f8738c7a75f41a7f

SHA512
124078cf268124c605c456386261694f933e31b87217d73ae34ef8bbff6293dc8dd3569cfc81b7995628688d0b77d283106ba7484461007d92a4ce8f4321c430

Download Submit
C:\Windows\SysWOW64\svchusts.exe

Filesize
67KB

MD5
cc7570108231f30116a3daca5f931769

SHA1
5c47115a764ef43aba9eeed57ff81b84cc834877

SHA256
0314193d1140023aa2197243f24e50bad472920f79e761525ae35cddaaa77ab5

SHA512
3e826596b5c400c00a3b9ff71fed6bcfa1c97b3b6c4432351303b0d650e9b8f77a01b58eba8df3948b215880c03729325e562b7fea38daa1bc340e3bc0c0e5f0

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
aeb1cf086f514a37508d3643c81441fc

SHA1
f7efa5a5577b98cb50a76f6ba14faeaeaf4f0fa4

SHA256
96bccf38fc90f7eb56ed2357dc43f6aad36058ee192591526974b6dc2354e326

SHA512
cdad85d9637734ac4dc30885afccb8bc940144ef174ba9da948816d376060facfefbc07dc516af6a3e9d54c8f862a9589096a9746311efc9a724391a99743c1d

Download Submit
memory/220-7-0x0000000000400000-0x0000000000516200-memory.dmp

Filesize
1.1MB

Download
memory/220-8-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/220-9-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/220-10-0x0000000000400000-0x0000000000516200-memory.dmp

Filesize
1.1MB

Download
memory/1608-0-0x0000000000400000-0x0000000000516200-memory.dmp

Filesize
1.1MB

Download
memory/1608-1-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1608-2-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1608-13-0x0000000000400000-0x0000000000516200-memory.dmp

Filesize
1.1MB

Download